Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
The current data protection laws in Israel are slightly ahead of the average international curve.
With regard to privacy, Israel’s data protection laws establish high-level standards (eg, restrictions regarding the transfer of data abroad and opt-in consent for spam).
The European Commission has determined that Israel provides an adequate level of protection for personal data transferred from the European Union, in relation to automated international transfers of personal data or, where such transfers are not automated, where the data is subject to further automated processing in Israel (see Article 29 Working Party Opinion 6/2009 and Commission Decision 2011/61/EU of January 31 2011).
However, some of Israel's data protection laws are relatively old and outdated. While they lay down general obligations, they do not establish detailed, clear and specific duties with regard to a number of issues that fall within the realm of data protection and privacy.
Moreover, over the past few years enforcement has been relatively limited and has focused mainly on clear and extreme breaches of privacy and related incidents. A number of questions in the field of privacy and data protection therefore remain open, largely because there is no clear-cut case law dealing specifically with them.
Are any changes to existing data protection legislation proposed or expected in the near future?
In March 2017, after years of preparation and debate, the Israeli legislature approved the Protection of Privacy Regulations (Data Security). The new regulations will come into force one year after their official publication. Among other provisions, they set out specific data security requirements and arrangements (including measures drawn from common global standards and norms) and introduce new notification requirements in specified cases of a security breach.
What legislation governs the collection, storage and use of personal data?
The two main pieces of legislation in the field of privacy and personal data protection in Israel are:
- Basic Law: Human Dignity and Liberty (5752-1992), in particular Section 7; and
- the Protection of Privacy Law (5741-1981).
Section 7 of Basic Law: Human Dignity and Liberty provides as follows (all quotations of Israeli legislation are based on an unofficial translation from the original Hebrew):
“7. (a) All persons have the right to privacy and to intimacy.
(b) There shall be no entry into the private premises of a person who has not consented thereto.
(c) No search shall be conducted on the private premises of a person, nor in the body or personal effects.
(d) There shall be no violation of the confidentiality of conversations, or of the writings or records of a person.”
The Protection of Privacy Law is the principal Israeli law defining and regulating the basic rules applicable to data protection and privacy issues.
Additional core regulations and guidelines which are relevant to the collection, storage and use of personal data, are:
- the Protection of Privacy Regulations (Transfer of Data to Databases Abroad) (5761-2001);
- the Protection of Privacy Regulations (Conditions for Inspection of Data and Procedures for Appeal from a Denial of a Request to Inspect) (5741-1981);
- the Registrar of Databases Guideline Regarding the Outsourcing of Personal Data Processing Services (2011/2);
- the Registrar of Databases Guideline Regarding the Use of Security Cameras (2012/4);
- the Registrar of Databases Guideline Regarding the Right to Inspect Voice Records, Video and other Digital Data (2017/1); and
- the Protection of Privacy Regulations (Conditions for Possessing Data and Procedures for Transferring Data Between Public Bodies) (5746-1986).
In addition, the Israeli legal system contains specific laws regulating particular issues and areas of law (eg, credit, banking and medicine) which have, among other things, their own sets of rules on the protection of data and privacy as this relates to those areas.
Another relevant law is the Computers Law (5755-1995), which lays down the basic principles of computer law (including the offences of unlawful penetration of computer material and hacking).
Scope and jurisdiction
Who falls within the scope of the legislation?
Any person or entity which is subject to or included within the territorial jurisdiction of the state of Israel falls under the scope of this legislation, with some specific exceptions (eg, security agencies).
What kind of data falls within the scope of the legislation?
Any kind of data included within the term ‘information’, as defined in the Protection of Privacy Law, falls within the scope of the legislation.
The term ‘information’ is defined in Section 7 of the Protection of Privacy Law as “data on the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person”.
Moreover, the Israeli courts have interpreted the term ‘information’ relatively broadly, as encompassing data which may indicate the economic status of an individual or other matters and aspects regarding his or her personal life.
The law also excludes certain collections of data from the definition of 'database' (and thus from the scope of most of the relevant provisions), as follows:
“‘database’ means a collection of data, kept by magnetic or optic means and intended for computer processing, except –
(1) a collection for personal use that is not for business purposes; or
(2) a collection that includes only the name, address and method of communication, which in and of itself does not produce a characterization which can infringe the privacy of the persons whose names are included therein, provided that the owner of the collection or the body corporate under his control does not have another collection.”
Are data owners required to register with the relevant authority before processing data?
According to the Protection of Privacy Law, data owners are required to register their database with the competent regulatory body, namely, the registrar of databases, which is based within the Israeli Law, Information and Technology Authority (ILITA).
According to Section 8 of the law, a database must be registered only where it meets at least one of the following conditions:
- it contains information on more than 10,000 persons;
- it contains 'sensitive information' (defined as "data on the personality, intimate affairs, state of health, economic position, opinions and beliefs of a person");
- it includes information on persons which was not delivered to the database by them, on their behalf or with their consent;
- it belongs to a 'public body' (defined as a government department and any other state institution, a local authority and any other body carrying out public functions under any law, and certain other specified bodies); or
- it is used for direct-mailing services.
Is information regarding registered data owners publicly available?
Anyone may apply to ILITA in order to verify whether a specific entity possesses and maintains a registered database.
According to Section 12 of the Protection of Privacy Law, the registrar of databases shall maintain a registry, which shall be open for public review.
Anyone may also inspect any personal data relating to him or her, subject to specific restrictions as set out in the Protection of Privacy Law.
Is there a requirement to appoint a data protection officer?
Yes. This requirement mainly applies to:
- owners of five or more databases where all of these require registration;
- public bodies; and
- banks, insurance companies or companies involved in rating or evaluating credit.
Which body is responsible for enforcing data protection legislation and what are its powers?
The registrar of databases, operating within ILITA, is responsible for enforcing data protection legislation.
First, the registrar is vested with the power to register databases, to refuse to register a database and to delete, suspend or cancel the registration of any database (subject to the restrictions specified in the Protection of Privacy Law).
ILITA also has the power to supervise compliance with the Protection of Privacy Law and the regulations thereunder. Within the framework of these powers, the registrar heads a supervisory unit whose inspectors are empowered:
- to demand that every person deemed relevant deliver to them information and documents relating to a database; and
- to enter a place in which they reasonably believe that a database is being operated and to search the place and seize objects (including computer material and output, as defined in the Computers Law) if they are convinced that doing so is necessary to ensure implementation of the Protection of Privacy Law and prevent infringement of its provisions.
ILITA also imposes administrative fines on entities which breach the relevant law and regulations.
In addition, other regulators and government bodies are responsible for specific data protection rules within their fields of supervision (eg, the Supervisor of Banks, the Commissioner of Capital Markets, Insurance and Savings, the Ministry of Health and the Israel Security Agency).
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Personal data can be collected, stored and processed where:
- an individual has consented to this;
- the personal data has already been lawfully published and is therefore in the public domain; or
- there is a specific legal provision which allows it.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The Israeli data protection and privacy laws do not lay down general limits on the period for which records may or must be retained.
However, specific requirements exist for certain kinds of data, such as medical records (especially in hospitals) and credit data, which must be retained for prescribed minimum periods.
In addition, in draft guidelines on the use of identification numbers, ILITA has interpreted an individual's 'consent' as consent to the records being retained for as long as they are required, and no longer.
The bottom line is that, generally, no explicit restriction is imposed on the period for which an organisation may (or must) retain records.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. Every individual is entitled to inspect, either himself or herself or through a representative authorised by him or her in writing or his or her guardian, any personal information about him or her that is maintained in a database (Section 13 of the Protection of Privacy Law).
Moreover, the Protection of Privacy Regulations (Conditions for Inspection of Data and Procedures for Appeal from a Denial of a Request to Inspect) (5741-1981) set out specific provisions regarding the schedule and manner of inspecting the data.
Do individuals have a right to request deletion of their data?
Yes, particularly where the individual finds that the data about him or her is incorrect, incomplete, unclear or out of date. In those cases, the individual may request that the owner of the database (or, if the owner is a foreign resident, the possessor thereof) amend or delete the information (Section 14 of the Protection of Privacy Law).
Moreover, an individual has the right to request the deletion of his or her personal data where:
- the owner of the database has no legitimate reason for retaining this;
- the data was collected in an illegal manner; or
- the owner does not safeguard the data in a proper and reasonable way.
However, where the owner has a legitimate and reasonable reason for maintaining the data and the data is correct and accurate, the owner may continue to maintain it even if the data subject has requested its deletion.
In addition, where the database is used for direct mailing, any individual whose details are held in the database may demand, in writing, that the owner delete all information relating to him or her from the database (Section 17F(b) of the Protection of Privacy Law).
Is consent required before processing personal data?
Yes. An individual’s consent is required before personal data about him or her can be processed.
Section 11 of the Protection of Privacy Law provides as follows (emphasis added):
“A request to a person for information with a view to the keeping and use thereof in a database shall be accompanied by a notice indicating –
(1) whether that person is under a legal duty to deliver that information or whether its delivery depends on his volition and consent;
(2) the purpose for which the information is requested;
(3) to whom the information is to be delivered and the purposes of such delivery. ”
Moreover, Section 2 of the Protection of Privacy Law provides as follows:
“Infringement of privacy is any of the following: … (9) using, or passing on to another, information on a person’s private affairs otherwise than for the purpose for which it was given”.
Therefore, one cannot store or process personal data without notifying the individual regarding the purpose for which the information is required at the time the information is requested.
There are several exceptions to this rule, which are relevant in specific areas (eg, some credit checks and some medical events).
The term ‘consent’ is defined in the Protection of Privacy Law as meaning “informed, express or implied consent”.
If consent is not provided, are there other circumstances in which data processing is permitted?
As a general rule, no one may process (nor collect) personal data without the consent of the individual in question. Exceptions to the general rule may include cases where the personal data has already been lawfully published and thus become public.
What information must be provided to individuals when personal data is collected?
As established by Section 11 of the Protection of Privacy Law, individuals must be notified of the purpose for which the personal data being collected from them is requested. They must also be told whether they are under a legal duty to deliver the information or whether its delivery depends on their volition and consent, and to whom the information will be delivered and for what purposes. However, this obligation does not necessarily apply where data is collected under a specific provision of law which allows the data to be collected without the individual's consent.
In practice, ILITA also recommends that the individual also be provided with the relevant database registration number at the time he or she is notified.
Data security and breach notification
Are there specific security obligations that must be complied with?
The general data security obligation under Israeli law is set out in Section 17 of the Protection of Privacy Law, which provides that: "A database owner, possessor or manager is each responsible for the information security of the database."
The term ‘information security’ is defined in Section 7 of the Protection of Privacy Law as “protection of the integrity of the information, or protection of the information from being exposed, used or copied, without lawful permission.”
According to Israeli law, one should act reasonably with respect to all matters concerning data security (taking into account the security considerations to be taken by other entities in similar situations), and must implement reasonable measures, procedures and security efforts to secure the data on the database.
The Protection of Privacy Regulations (Conditions for Possessing Data and Procedures for Transferring Data Between Public Bodies) (5746-1986) impose specific data security duties (see in particular Section 3(b)). These include, for example, the duty to physically protect the system and the duty to lay down policies and directives for the management, storage, processing and transfer of data. Thus, a list of the persons authorised to access the data must be prepared and updated from time to time (Section 3(b)(3a) of the regulations); in addition, Section 3(b)(4) imposes a general duty to take reasonable security measures to prevent unlawful penetration of the database.
Are data owners/processors required to notify individuals in the event of a breach?
Israeli law has no specific provisions for notifying individuals in the event of a breach.
Nonetheless, such a duty may arise by virtue of the general obligations of Israeli law (including contracts law and the duty of care doctrine), depending on the potential damage and the other circumstances of the event.
As a rule of thumb, the greater the risk of harm to individuals as a result of the breach (and especially where time is of the essence), the stronger the duty to notify them becomes.
Are data owners/processors required to notify the regulator in the event of a breach?
Under the law currently in force, data owners and processors are not required to notify the regulator in the event of a breach.
However, in specific areas (especially those involving sensitive data, such as banking) sectoral regulation does make such notification mandatory. In addition, the Protection of Privacy Regulations (Data Security) approved in March 2017 introduce notification requirements in specified cases of a security breach once they come into force.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Yes. Israel takes an opt-in approach to spam, meaning that an advertisement may not be sent without first obtaining the addressee's consent.
The relevant provision is Section 30A(b) of the Communications Law (Telecommunications and Broadcasting) (5742-1982), which provides: "No advertiser shall transmit an advertisement by or through facsimile, an automatic dialling system, an electronic message or SMS, without receiving the express prior written consent of the addressee, including by an electronic message or in a taped conversation."
This stringent requirement obliges the advertiser to secure the "express prior written consent" of the addressee before sending any advertisement (whether by facsimile, an automatic dialling system, an electronic message or text message).
However, there are exceptions. An advertiser may transmit an advertisement even if consent was not obtained from the addressee, if all of the following hold true (see Section 30A(c) of the Communications Law):
- the addressee provided his or her details to the advertiser in the course of purchasing a product or service, or in the course of negotiating the said purchase, and the advertiser notified him or her that these details would be used for sending advertisements;
- the advertiser has given the addressee an opportunity to notify it of his or her refusal to receive said advertisements, generally or with respect to a certain type of advertisement, and the addressee did not do so; and
- the advertisement refers to a product or service of a type similar to the product or service purchased by the addressee.
There are additional specific exceptions to the Communications Law, especially with regard to donations and political messages.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
The main rules governing the transfer of data outside of Israel are the Protection of Privacy Regulations (Transfer of Data to Databases Abroad) (5761-2001).
Are there restrictions on the geographic transfer of data?
Yes. According to the Protection of Privacy Regulations (Transfer of Data to Databases Abroad) (5761-2001):
“A person shall not transfer, nor shall he enable, the transfer abroad of data from databases in Israel, unless the law of the country to which the data is transferred ensures a level of protection no lesser, mutatis mutandis, than the level of protection of data provided for by Israeli Law” (Section 1).
The regulations also specify certain core principles which will need to be complied with in the foreign country (to which the data is transferred), in order to permit the contemplated transfer.
In addition, the regulations also list various exceptions for facilitating the transfer of data abroad, for instance:
- the data subject has consented to the transfer;
- the data is transferred to a corporation under the control of the owner of the database from which the data is transferred, and it has guaranteed the protection of privacy after the transfer;
- the data is transferred to a person (or entity) bound by an agreement with the owner of the database from which the data is transferred, to comply with the conditions for the possession and use of the data applying to a database in Israel, the necessary changes having been made; and
- the data is transferred to a database in a country which is a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) (or which receives data from EU member states under the same terms).
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Yes. According to Israeli law, a database owner may not transfer personal data to a third party without first obtaining the consent of the data subject.
There are certain exceptions to this, one of which is the outsourcing of personal data processing services.
The owner of a database may outsource personal data processing to a third-party supplier and, as part of the outsourcing, may transfer data to that supplier even without the individual's specific consent. This exception is subject to the Registrar of Databases Guideline Regarding the Outsourcing of Personal Data Processing Services (2011/2), which imposes a series of requirements and restrictions on both the database owner and the supplier in order to protect the privacy of the individual and maintain data security. For example, the supplier must explicitly undertake not to transfer the data to any other third party and must destroy and erase all the data as soon as it has finished processing it for the owner.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
The maximum penalties are specified in Section 16 of the Protection of Privacy Law, which provides as follows:
“No person shall disclose any information obtained by him by virtue of his functions as an employee, manager or possessor of a database save for the purpose of carrying out his work or implementing the Law or under a court order in connection with a legal proceeding; where the request is made before a proceeding has been instituted, it shall be heard in the Magistrate’s Court. A person who infringes the provisions of this section shall be liable to imprisonment for a term of five years.”
Section 5 of the law also imposes a maximum of five years' imprisonment for wilful infringement of the privacy of another, including by using or transferring information about a person's private affairs other than for the purpose for which it was given.
Section 31A of the law also imposes a maximum of one year’s imprisonment for violations of specific sections of the law.
The potential penalties also include fines of up to IS226,000 (depending on the specific sanction).
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes. This right arises by virtue of Israeli general law (eg, contracts law and torts law). Section 4 of the Protection of Privacy Law provides that: “An infringement of privacy is a civil wrong, and the provisions of the Civil Wrongs Ordinance (New Version) shall apply to it subject to the provisions of this law.”
Moreover, according to Section 31B of the law, an act or omission in violation of the law’s provisions or in violation of regulations enacted under the law shall be a wrong under the Civil Wrongs Ordinance (new version).
In addition, Section 29A states that in certain cases (as part of Criminal or Civil procedures), the court may order anyone who breaches the law to pay the injured person statutory damages of up to IS50,000 (this sum is updated according to changes in the Consumer Price Index).
Moreover, in a civil proceeding in which it is proven that the infringement was made with the deliberate intent to cause harm, the court may order the defendant to pay the plaintiff statutory damages of up to IS100,000 (this sum is updated according to changes in the Consumer Price Index).
Statutory damages are also found under the Communications Law, under which a court may order a person (or entity) who knowingly breached the laws regarding spam to pay IS1,000 for every spam message it sends.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
Yes. The Computers Law sets out the basic rules in the field of cybercrime and, in particular, prohibits the unlawful penetration of computer material, as described below.
The Secret Monitoring Law (5739-1979), commonly referred to as the Wiretapping Law, also covers certain aspects of cybercrime.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Israel joined and adopted the European Convention on Cybercrime (Budapest Convention), subject to certain (permitted) reservations.
In addition, the Standards Institution of Israel has published and adopted certain (voluntary) standards relating to cybersecurity. These include, for instance, SI ISO 27001, SI ISO 27799, SI ISO 15408 and SII 1495.
Which cyber activities are criminalised in your jurisdiction?
The main cyber activities criminalised in Israel under the Computers Law are as follows:
- disrupting the orderly operation of a computer or interfering with its use;
- deleting computer material, altering it, or otherwise disrupting or interfering with its use;
- transmitting false information to another computer, storing false information, or performing any act with respect to information which results in the generation of false information;
- writing or running software, or storing a program on a computer, which causes the computer to generate false output or information, or operating a computer using such software;
- unlawfully penetrating computer material (an offence which the Israeli Supreme Court has in the past interpreted broadly);
- editing software so that it is capable of causing any of the following, for the purpose of performing that act unlawfully:
  - disrupting the orderly operation of a computer or interrupting its use;
  - deleting computer material, altering it, or otherwise disrupting or interfering with its use;
  - generating false output or information;
  - penetrating computer material;
  - wiretapping; or
  - infringing privacy; and
- distributing or publicly offering, or transferring to or installing on another's computer, a password, software, device, access code or similar information, for the purpose of performing any of the acts enumerated above.
Which authorities are responsible for enforcing cybersecurity rules?
The Israel Security Agency and the National Cyber Defence Authority have certain enforcement responsibilities with regard to entities that supply essential services to the public.
However, most of the civilian Israeli market is subject to enforcement by the Israeli police, which is responsible for enforcing cybersecurity rules. Certain inspection aspects of cybersecurity also fall within the responsibility of the Israeli Law, Information and Technology Authority.
In addition, Israel recently established the Israel National Cyber Event Readiness Team (CERT-IL) as part of the National Cyber Defence Authority. CERT-IL provides real-time assistance in the event of a cyberattack, as well as cybersecurity recommendations, on a voluntary basis.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes. According to Israeli law, companies can obtain insurance for cybersecurity breaches. This practice is becoming more and more common as the issue becomes more relevant.
Are companies required to keep records of cybercrime threats, attacks and breaches?
In general, companies are not specifically required to keep records of cybercrime threats, attacks and breaches.
Nonetheless, failure to maintain such records may be considered unreasonable business conduct and may expose the company to tort claims.
In some specific areas (eg, medical data) there is a mandatory duty to keep records of unusual occurrences (see Section 15 of the Protection of Privacy Regulations (Conditions for Possessing Data and Procedures for Transferring Data Between Public Bodies) (5746-1986)).
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
In general, data owners or processors are under no duty to report cybercrime threats, attacks and breaches to the relevant regulatory bodies.
However, in certain specific fields (especially regarding essential services or sensitive data such as banking) notification is mandatory under the relevant regulations.
In the case of cyberattacks (and in general) companies may apply, on a voluntary basis, to CERT-IL, and obtain government assistance.
Are companies required to report cybercrime threats, attacks and breaches publicly?
In Israel, companies are not specifically required to report cybercrime threats, attacks and breaches publicly. Nonetheless, such a duty may arise, at least towards specific individuals harmed by the threat, attack or breach, by virtue of the general obligations of Israeli law (including contracts law and the duty of care doctrine), depending on the potential damage and the other circumstances of the event.
As a rule of thumb, the greater the risk of damage to individuals as a result of the threat, attack or breach (and especially where time is of the essence), the stronger the duty to notify becomes.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The potential penalties include imprisonment for maximum periods of three or five years (depending on the specific penalty).
What penalties may be imposed for failure to comply with cybersecurity regulations?
The potential penalties include fines of up to IS226,000 (depending on the specific sanction).